MS Patch Train Leaves the Station

CmdrTaco posted more than 9 years ago | from the a-whole-lotta-security-going-on dept.

Windows 361

per1176 writes "Microsoft has released 10 advisories to cover a dozen security vulnerabilities, including a "critical" cumulative update for the Internet Explorer browser. The IE fix corrects a remote code-execution vulnerability that exists due to the way the browser handles PNG (Portable Network Graphics) files."

Witty Headlines (-1, Offtopic)

Gothmolly (148874) | more than 9 years ago | (#12823090)

What is this, Fark? I thought we put the funny editorializing in the "from the xxxx dept." tagline here.

Re:Witty Headlines (0, Redundant)

makaveli2005 (888857) | more than 9 years ago | (#12823097)

I'll stick to Firefox, thank you.

Re:Witty Headlines (0)

RaffiRai (870648) | more than 9 years ago | (#12823163)

Is this really still "insightful" on Slashdot?

Re:Witty Headlines (0)

Anonymous Coward | more than 9 years ago | (#12823472)

Yes. Everything that glorifies Applè, Mozillá or Göôgle makes the über-sexy moderators [nylug.org] release a trickle of greasy semen [sites-xxx.com] in their smelly Debian-thong [cafepress.com] .

Re:Witty Headlines (1)

ehaggis (879721) | more than 9 years ago | (#12823388)

MS releases a patch and it's news?

Good for... (-1)

Anonymous Coward | more than 9 years ago | (#12823099)

...people who still use windows.

Large size crash (5, Interesting)

Anonymous Coward | more than 9 years ago | (#12823101)

Does this fix the crash with large stretched images?
i.e. width=9999999 height=999999 in an

IE PNGs (4, Insightful)

Enigma_Man (756516) | more than 9 years ago | (#12823111)

That's hilarious, because IE barely supports PNGs at all, but they apparently are vulnerable to them nonetheless. If you don't know of the png problem, they just don't display the colors right and/or won't do transparencies right at all.

-Jesse

Re:IE PNGs (2, Insightful)

RaffiRai (870648) | more than 9 years ago | (#12823127)

Transparencies appear grey in IE.

Re:IE PNGs (5, Informative)

swilde23 (874551) | more than 9 years ago | (#12823274)

That's mostly true... but you can mangle your way around it...

http://blogs.msdn.com/dmassy/archive/2004/08/05/209428.aspx [msdn.com]

Believe me, I would rather just use a different browser (one has security holes of its own. As much as the creators of firefox would like to believe they have the perfect browser, any major piece of software is going to have bugs.

The smart developers call these bugs... features :)

The truth is though, most people don't know about anything other than ie. Why else would it show up with more than 80% of the hits on the websites we run? People don't like change. They like ie because it works out of the box with Windows. No extra installing, no "scary" configurations, no extra work on their part. If you want to convince people not to use ie, don't post messages on /. discussing the various security holes involved with png images. Go out and convince MS to stop packaging it with their os. Make people have to do a little work to get on the internet. Maybe then they'll start to think a little about what they are doing.

Re:IE PNGs (1, Funny)

Anonymous Coward | more than 9 years ago | (#12823372)

Go out and convince MS to stop packaging it with their os. Make people have to do a little work to get on the internet.

Yeah, that's good thinking! It's hard to believe Steve Ballmer is in charge of Microsoft, and not you!

Re:IE PNGs (1)

Frank T. Lofaro Jr. (142215) | more than 9 years ago | (#12823415)

How are you going to download a browser if you don't already have a browser?

Don't say FTP.

Re:IE PNGs (1)

BRonsk (759601) | more than 9 years ago | (#12823462)

How are you going to download a browser if you don't already have a browser?

FTP ?

Re:IE PNGs (1)

packetl0ss (887279) | more than 9 years ago | (#12823475)

ISPs regularly ship Internet Explorer on their "Setup" CDs, so why can't they also ship alternative web browsers such as Firefox or Opera on those same CDs?

Re:IE PNGs (1)

smitty_one_each (243267) | more than 9 years ago | (#12823488)

1. Install one of the various scripting languages with an HTTP library, write download script.
2. ????
3. Profit.

It's a /. tradition, don't you know?

Forgive my ignorance (4, Funny)

J Barnes (838165) | more than 9 years ago | (#12823113)

but is there an obvious point where software becomes more patch than content?

Lately I envision all Microsoft products as lumbering stay-puff marshmallow men, ambulating labored steps inside a comical suit of band-aids.

Re:Forgive my ignorance (4, Insightful)

Tarcastil (832141) | more than 9 years ago | (#12823143)

You do realize the Linux kernel is heavily dependent upon patches.

Re:Forgive my ignorance (1)

MountainMan101 (714389) | more than 9 years ago | (#12823205)

Yes. Perhaps the GP poster meant binary patches. The patches to the Linux kernel are just the way the kernel evolves. The MS patches are fixes applied after it has been built.

Re:Forgive my ignorance (1)

xtracto (837672) | more than 9 years ago | (#12823255)

What is the difference?

Microsoft has the source code, they just make the improvements, rebuild the files and perform DIFFs.

Personally I think it's better to apply a binary patch than to have to recompile a kernel just to upgrade it from x.x.11 to x.x.12

Anyway, patches are not wrong, God! If MS software has an unpatched bug it is his fault and it is bad, then if he releases a patch it is also bad because his software is patched.

This is not a patch as the normal dictionary word defines it; software patches are used to modify the behaviour of the software. It is like when you changed the brakes on your bicycle from the pedal brake to the hand brake.

Re:Forgive my ignorance (1)

ajs318 (655362) | more than 9 years ago | (#12823353)

Personally I think it's better to apply a binary patch than to have to recompile a kernel just to upgrade it from x.x.11 to x.x.12
Then you might want to check out this really cool game I wrote. I've compiled it for you already, so you won't have to muck about compiling it yourself or anything .....

Re:Forgive my ignorance (2, Funny)

PakProtector (115173) | more than 9 years ago | (#12823396)

You know what? Most of us don't mind paying real money for things that have real worth. I paid fifty dollars for Neverwinter Nights when it came out, while my roommate had a 'free' copy the same day.

I will gladly pay money for something I like to make sure that the people who make it will make more. That's how the market economy works. If something has real value, it's only logical to compensate the persons who made it.

Which is entirely why I have never paid for Windows.

What's a linux? (1, Funny)

J Barnes (838165) | more than 9 years ago | (#12823281)

Sorry, I don't use linux and I openly profess my general ignorance.

That obviously makes me a minority around here. Twice over, in fact.

Re:Forgive my ignorance (0, Troll)

/ASCII (86998) | more than 9 years ago | (#12823254)

You misunderstand the way that patches work. It seems intuitive that when a patch is applied to a program, it is somehow sewed onto the program binary, much like you sew a patch onto a piece of clothing. If that were the case, programs would indeed get larger and larger, until all programs were made of 99% patches and all looked exactly alike.

The reason why this does not happen is that once a patch has been applied for a while, it is removed again. This is most apparent under Linux, where you can download a patch file and apply it directly to the source. Applying the patch will change the program, but will not consume or change the patch itself. Obviously, once the patch has been applied, its code healing abilities kick in and remove any local vulnerabilities, after which the patch can be safely removed.

As a matter of fact, the exact same patch can be applied to multiple pieces of software, without destroying or diminishing the patch. Try it out for yourself! Be aware, though, that some patches are made to fit specific types of programs or bugs, so applying a patch made to fix a buffer overflow in firefox may fix similar bugs in Opera or Internet Explorer, they will most likely do very little to remove crash bugs in Open Office or Gnome.

M$ still pwnz Linuts (3, Funny)

Anonymous Coward | more than 9 years ago | (#12823115)

Why not just release a patch that uninstalls IE?

Re:M$ still pwnz Linuts (0)

Jorkapp (684095) | more than 9 years ago | (#12823322)

They already have. It's just too advanced for most users:

Step 1: format c:\
Step 2: Insert linux CD

Reminds me of the JPG buffer overflow (5, Insightful)

Nos. (179609) | more than 9 years ago | (#12823119)

After the jpg incident, wouldn't you tend to look at the code handling other image formats for similar problems? Guess not.

Re:Reminds me of the JPG buffer overflow (1)

Junior J. Junior III (192702) | more than 9 years ago | (#12823164)

Dude, if they hadn't checked, how else would they have realized there was a vulnerability for PNG and then developed a fix for it?

Re:Reminds me of the JPG buffer overflow (4, Informative)

Cally (10873) | more than 9 years ago | (#12823283)

Dude, if they hadn't checked, how else would they have realized there was a vulnerability for PNG and then developed a fix for it?

As a matter of fact, these and other forthcoming issues with various OSes' graphic parsing and rendering libraries result from a sustained attempt to break them with fuzzing techniques by researchers at the Finnish University of Uola (or Oula. I forget). This is the same group that ripped apart many vendors' implementations of SNMP a few years ago, and ASN.1 a year or two after that. Big thanks to them for proactive efforts to improve security...

Re:Reminds me of the JPG buffer overflow (1)

swv3752 (187722) | more than 9 years ago | (#12823284)

I figured like how they discover all their other flaws. Someone else tells them about it. I mean really, some "security researcher" develops a "proof of concept" and sends it to MS. Then they blackmail MS to release a patch in x amount time as they will release the "proof of concept" to the wild.

Re:Reminds me of the JPG buffer overflow (0)

Anonymous Coward | more than 9 years ago | (#12823176)

Maybe they did and it took them this long to fix it.

Re:Reminds me of the JPG buffer overflow (1)

CABAN (818466) | more than 9 years ago | (#12823288)

SANS.ORG [http://isc.sans.org/diary.php?date=2005-06-14 [sans.org] ] is reporting that these patches might restore program access defaults.

Microsoft... again (0, Flamebait)

MaxPowerDJ (888947) | more than 9 years ago | (#12823120)

Well, this would bring the grand total of hours spent on windows update a bit further... I'm switching to Mac! :P

Re:Microsoft... again (1)

LegendOfLink (574790) | more than 9 years ago | (#12823324)

You know, you DON'T HAVE TO UPDATE. I haven't updated my XP box for almost a year now. I'm still running SP1 and no anti-virus (I know how to use the TASKLIST command). Guess what, I have no problems, save for the occasional crash due to Photoshop being a bitch. The difference between my unpatched Windows not getting spyware/viruses is that I'm not a dumbass and try to download Buddy Handjob Bar or whatever it's called. That, and I use FireFox, which has NEVER failed me.

PNG??? (1, Insightful)

Anonymous Coward | more than 9 years ago | (#12823123)

Okay, I'm not familiar with IE's internals. But I still cannot understand how you'd introduce a remote execution vulnerability into "get PNG bits, arrange bits for display system" unless you were *trying* for that. Yeah, I know you have to allocate memory for the PNG, and I understand the problem probably comes from an overflow of that, but still, it makes me wonder just how badly written this stuff must be.

Re:PNG??? (3, Insightful)

LO0G (606364) | more than 9 years ago | (#12823190)

The same way that a remote execution overflow was in libXPM.

Google integer overflow vulnerability for more information.
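An added example, not from the thread and not taken from IE, libXPM or any other real decoder: the integer-overflow pattern LO0G's reply names, shown as a decoder's buffer-size calculation from header-supplied dimensions, next to a checked version. The struct, the function names and the 256 MiB cap are assumptions for illustration; the 2^31 - 1 dimension limit is the one the PNG specification sets, and the sample headers are constructed.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Dimensions as a decoder reads them from an image header (for PNG, the
 * IHDR chunk). They are untrusted 32-bit values. Hypothetical struct. */
typedef struct {
    uint32_t width;
    uint32_t height;
    uint32_t bytes_per_pixel;
} image_header;

#define PNG_DIM_MAX     0x7FFFFFFFu            /* PNG spec limit: 2^31 - 1 */
#define MAX_IMAGE_BYTES ((uint64_t)256 << 20)  /* assumed policy cap: 256 MiB */

/* Bytes the pixel loop would really need, computed in 64 bits and
 * saturated to UINT64_MAX instead of wrapping. */
uint64_t true_buffer_size(const image_header *h)
{
    uint64_t pixels = (uint64_t)h->width * h->height;  /* cannot wrap */
    if (h->bytes_per_pixel != 0 && pixels > UINT64_MAX / h->bytes_per_pixel)
        return UINT64_MAX;
    return pixels * h->bytes_per_pixel;
}

/* The unsafe pattern: the product is formed in 32 bits and wraps silently,
 * so the value handed to the allocator can be far smaller than the amount
 * of data the decode loop goes on to write. */
uint32_t naive_buffer_size(const image_header *h)
{
    return (uint32_t)(h->width * h->height * h->bytes_per_pixel);
}

/* Checked form: validate each field, widen before multiplying, and test
 * against the cap by division so no intermediate product can wrap.
 * Returns 0 and stores the size on success, -1 if the header is rejected. */
int checked_buffer_size(const image_header *h, size_t *out)
{
    if (h->width == 0 || h->height == 0)
        return -1;
    if (h->width > PNG_DIM_MAX || h->height > PNG_DIM_MAX)
        return -1;
    if (h->bytes_per_pixel == 0 || h->bytes_per_pixel > 8)
        return -1;

    uint64_t row = (uint64_t)h->width * h->bytes_per_pixel;  /* < 2^34 */
    if (row > MAX_IMAGE_BYTES)
        return -1;
    if (h->height > MAX_IMAGE_BYTES / row)
        return -1;

    *out = (size_t)(row * h->height);  /* <= 256 MiB, fits in size_t */
    return 0;
}

int main(void)
{
    /* Constructed sample headers. */
    const image_header samples[] = {
        { 640u,        480u,   4u },  /* ordinary image             */
        { 65536u,      65536u, 4u },  /* 2^34 bytes, wraps to 0     */
        { 0x20000001u, 2u,     4u },  /* 2^32 + 8 bytes, wraps to 8 */
    };

    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        size_t n = 0;
        int rc = checked_buffer_size(&samples[i], &n);
        printf("%ux%ux%u: needed=%llu naive=%u checked=%s\n",
               (unsigned)samples[i].width, (unsigned)samples[i].height,
               (unsigned)samples[i].bytes_per_pixel,
               (unsigned long long)true_buffer_size(&samples[i]),
               (unsigned)naive_buffer_size(&samples[i]),
               rc == 0 ? "accepted" : "rejected");
    }
    return 0;
}
```
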

Xroads (-1, Offtopic)

Kamic (723048) | more than 9 years ago | (#12823125)

ugh, trains always make me late for work, then once I get there patch trains delay me further patching away on clients and servers. And THEN I get to read about how I should move to linux on /. Maybe I should join the dark side!

auto restart.. (-1, Redundant)

super_ogg (620337) | more than 9 years ago | (#12823132)

I hate how it comes up and keeps reminding you to restart windows. What the hell? I'll restart when I want to you piece of shit.
ogg

New Microsoft Security Update (3, Funny)

PyWiz (865118) | more than 9 years ago | (#12823134)

Microsoft has released a free security update to Windows users today: Service Pack Linux. Service Pack Linux includes a fix for all IE vulnerabilities, as well as flaws in Outlook and Office. IIS users will be happy to know that Service Pack Linux will fix many problems with Microsoft's premier web server package as well. Service Pack Linux is considered the most comprehensive security fix in Windows history. Users should get it now at http://distrowatch.org/ [distrowatch.org]

Re:New Microsoft Security Update (2)

Carl_Cne (253854) | more than 9 years ago | (#12823172)

Re:New Microsoft Security Update (1)

walgurf (230232) | more than 9 years ago | (#12823369)

When Linux offers the same support for and number of games as Windoze, I'll switch. I guarantee if not for DirectX, Win would have half the non-corporate users that it has.

Damn (-1, Offtopic)

northcat (827059) | more than 9 years ago | (#12823137)

PNG eh? Too bad PNG is not good for pictures of Britney Spears [slashdot.org] .

Huh (-1)

Anonymous Coward | more than 9 years ago | (#12823138)

The patch train has just crashed.

Let the Microsoft Bashing Begin... (-1, Flamebait)

Anonymous Coward | more than 9 years ago | (#12823140)

Oh.. wait. It's already started.

I'm man enough to give credit where credit is due... yay for speedy release of patches! Unlike Firefox that still has problems!

Re:Let the Microsoft Bashing Begin... (0, Funny)

Anonymous Coward | more than 9 years ago | (#12823202)

> I'm man enough to give credit where credit is due

...but apparently not man enough to post this stupid flame under your own account...

Headline: Bump, Set, Spike... (-1)

FerretFrottage (714136) | more than 9 years ago | (#12823149)

gosh how long til we see:
"And it's a total train wreck"

"And it's derailed"

"When Gates said 'security reigns', the developers heard 'trains' and they were nowhere near the station"

"If a Linux patch leaves the {Linux distro city of choice} station at 3 PM and a MS patch leaves the Redmond station at 6 PM, how many people on /. will it take to claim First Post?"

Re:Headline: Bump, Set, Spike... (-1)

Anonymous Coward | more than 9 years ago | (#12823272)

Sixteen posts apparently.

Wasn't really worth waiting for, wish I didn't have the compulsion to dignify it with a response when it did come.

Glad to see /. is still adult enough to portray the Windows icon as being smashed and broken.

Glad to see wit in general is still going strong on Slashdot.

Before you gloat too much (4, Informative)

callipygian-showsyst (631222) | more than 9 years ago | (#12823150)

...Slashdot seemed to have missed this doozy from less than a month ago. [us-cert.gov]

http://www.us-cert.gov/cas/techalerts/TA05-136A.html [us-cert.gov]

Re:Before you gloat too much (1)

RaffiRai (870648) | more than 9 years ago | (#12823216)

For those who don't want to read, that's 10 vulnerabilities, 1 privilege escalation, 6 remote executions including buffer overflows, and one bluetooth attack.

Probably should have covered this on Slashdot.. patched or not, which I don't know, as it doesn't affect ones about Microsoft.

Re:Before you gloat too much (1)

callipygian-showsyst (631222) | more than 9 years ago | (#12823244)

For those who don't want to read, that's 10 vulnerabilities, 1 privilege escalation, 6 remote executions including buffer overflows, and one bluetooth attack.

Thanks for the summary. And that's my point! The Apple "true believers" have been led to think that there's something *radically different* in the design of their beloved operating system that makes it immune to these things. There isn't! It's the same crap!

Re:Before you gloat too much (1)

Timesprout (579035) | more than 9 years ago | (#12823302)

I think you have confused the word 'missed' with 'conveniently ignored'.

Re:Before you gloat too much (0)

Anonymous Coward | more than 9 years ago | (#12823316)

no, no, no... Apple and Linux are good.

Those are just some minor problems and it would take a lot of work to break anything. In fact, I don't think any programmer could do it really. OS X and Linux are too protected to just hack into like that. There are special code designs in the kernel.

Only Windows can have viruses, trojans, and stuff like that because OS X and Linux have Real Ultimate Power. That's why Slashdot doesn't post about anything other than the sucky Windows.

Re:Before you gloat too much (0)

gordon_schumway (154192) | more than 9 years ago | (#12823329)

...Slashdot seemed to have missed this doozy from less than a month ago.

Apple is switching to Intel!!!

Re:Before you gloat too much (0)

Anonymous Coward | more than 9 years ago | (#12823406)

Please mod this guy back up!!!

WTF (0)

Anonymous Coward | more than 9 years ago | (#12823335)

Where does gloating enter into it? All software should be patched, there's no doubt about that. We just like complaining because when Microsoft releases patches, it means more work for us (testing to make sure they don't break anything).

But honestly, anyone who complains about patches is, IMO, crazy. Would you rather they didn't patch at all???

Re:Before you gloat too much (0)

Anonymous Coward | more than 9 years ago | (#12823473)

I'm still gloating over the FBI stating that Macs have superior security.

It's SOVIET RUSSIA (-1, Redundant)

Anonymous Coward | more than 9 years ago | (#12823160)

In America, you view PNG. In Soviet Russia, PNG views YOU!

To bad (2, Insightful)

MemoryDragon (544441) | more than 9 years ago | (#12823180)

I thought they might have fixed the png transparency bug, which was reported to them eight years ago... but no... just a buffer overflow.

Re:To bad (-1, Troll)

PsychicX (866028) | more than 9 years ago | (#12823310)

Typical slashdot ignorant idiot.

IEBlog on PNG transparency [msdn.com]
"The modifications to IE's image pipeline were required because transparency in IE has historically only included palette based transparency or binary transparency. The data structures and image formats necessary to pass around more complex transparency information were not available. Adding this information to the pipeline involved touching how all of the image decoders worked and were displayed. Additionally, functionality to perform the alpha blending needed to be hooked in."

Remember that IE6 is feature frozen right now, and is in a state of security fixes only. All of the new stuff is going into IE7.

Re:To bad (1)

MemoryDragon (544441) | more than 9 years ago | (#12823374)

I know about that, but this problem was reported 8 years ago! Another thing is the half broken CSS1 and the totally broken CSS2

Re:To bad (4, Insightful)

HiredMan (5546) | more than 9 years ago | (#12823433)

Yeah he's an idiot. How dare he criticize a program that's buggy. It's frozen from development and its replacement will ship in 2 years or so, Stupid. So what if they never, ever fixed the PNG display pipeline since IE 6 shipped. Why should graphics display correctly - it's not like the web is a graphics medium, right?

Vendors should never, ever roll back changes into older versions of their software they force you to use. Tabbed browsing, correct graphics display, CSS support will all be available someday so shut yer piehole! All you'll have to do is upgrade your entire system to get these features. And it's not like anyone else has managed to get that stuff working on the same platform, right? Right? Well, maybe someone has but they must have more programming resources than MS, no doubt...

=tkk

WSUS (2, Informative)

XorNand (517466) | more than 9 years ago | (#12823191)

For those admins who tend to a small MS shop and don't have the need for an expensive patch management solution, WSUS [computerworld.com] was released last week to replace the lame SUS (Software Update Services). I had to disable SUS due to some GPO issues, so I'm looking forward to checking out WSUS. And with this round of patches, it seems like the ideal time to test.

Re:WSUS (1)

CoffeeJedi (90936) | more than 9 years ago | (#12823250)

yeah, i just got the WSUS migration notice on the SUS control panel, i'll probably do that next week

SUS does its job, but i'm hoping for a lot more control over patch management, it's a very inelegant solution.

Re:WSUS (0)

Anonymous Coward | more than 9 years ago | (#12823465)

Make sure you have a lot of extra disk space for the upgrade.

We upgraded ours, and within 2 weeks WSUS filled our system disk. (Even though the data files were supposedly on another disk. Growing binaries?)

Sure glad I don't have to do this crap (-1, Troll)

ch-chuck (9622) | more than 9 years ago | (#12823196)

I put Fedora Core release 3 on this notebook and have just 'used it' ever since. No monthly security updates, no worry about the worm du jour - I just use it to write and work with software that actually does something useful. It really fricking amazes me how much cpu time Windows users spend just patching holes in that leaky boat. Every time I turn on the Kim Commando show it's 75% virus, worms, attacks, malware, spyware, evil email, spoofing, phishing, on and on and on. I guess it just keeps the masses entertained with their gloat of computing power that they have no idea what to do with except follow the latest fashions in screensavers and toys, the drama of attack & defense, danger and rescue adds excitement to an otherwise boring appliance. Maybe as an engineer who uses computers to actually accomplish something I just have a different point of view.

Re:Sure glad I don't have to do this crap (1)

Foolomon (855512) | more than 9 years ago | (#12823253)

Your problem is that you listen to Kim Commando in the first place. :P

Re:Sure glad I don't have to do this crap (1, Informative)

callipygian-showsyst (631222) | more than 9 years ago | (#12823312)

Uh uh! You're in big trouble!

You'd better go here [fedoralegacy.org] and install the Fedora updates (three in the last month)!

Re:Sure glad I don't have to do this crap (0)

Anonymous Coward | more than 9 years ago | (#12823313)

You just started using your linux box & already started acting up? Wait till the next 'Core' is released by Fedora. You'll have to format & install everything again as most 'Cores' have a habit of breaking everything in their sight.

And, do I need to remind you about stability issues with Debian Sarge? I give you that Windows isn't an epitome of security, but ignoring FOSS issues & just plainly bashing is stupid.

Re:Sure glad I don't have to do this crap (1)

cortana (588495) | more than 9 years ago | (#12823427)

> And, do I need to remind you about stability issues with Debian Sarge?

Yes. No problems here...

Re:Sure glad I don't have to do this crap (1)

ChrisF79 (829953) | more than 9 years ago | (#12823365)

The Kim Commando show? Seriously, that show sounds like they put a phone in a mental institution and let the patients phone in. Please don't use that as your proxy.

Re:Sure glad I don't have to do this crap (3, Insightful)

ssj_195 (827847) | more than 9 years ago | (#12823403)

What an appalling display of "toeing the slashdot party line", and putrid arrogance and condescension, as well. Whoever modded this transparent tripe up should be ashamed of themselves.

The amount of "CPU time" "Windows users" spend patching holes is a few minutes every month. And get off your high horse, here: while Linux distros provide updates for a more comprehensive range of apps, it's also the case that you have to download far more (in terms of raw megabytes) far more often. I'm willing to bet right now that, timing from the release of FC3, FC3 has required more and bigger updates than Windows.

I'll never forget the time, earlier this year in fact, when Mandrake provided a security "update" for the kernel (you may remember the much-publicized privilege escalation vulnerability around the end of last year). This "patch" consisted of the whole kernel source (maybe 40MBs of it) which you would have to manually compile and install (no nice binary rpm, here). With this one single update, Mandrake users have exceeded the "CPU time" required for a few months of Windows updates. And let's not forget the hefty kdelibs security updates, which basically amounts to downloading the whole of kdelibs again, since none of the distros seem to provide diff-style patching. The same with Firefox (8MB on Linux...?).

Also, while we are free from worms and viruses here, note that there is nothing innate to Linux that precludes phishing and spoofing attacks.

Maybe as an engineer who uses computers to actually accomplish something I just have a different point of view.
Ugh.

Completely untrue (1)

Azureflare (645778) | more than 9 years ago | (#12823487)

WTF? Compile from source??

I use mandrake, I have since 9.0. I have _never_ had to compile the kernel from source. You urpmi the source from the command line. The mcc interface will NOT install the kernel automatically. You have to do it manually.

In older distributions, you would simply type urpmi kernel (or whichever of the other kernels you're using, like enterprise, etc.). In the recent mandriva releases, you have to type urpmi kernel-2.6

Obviously you haven't been using linux often... Where did you get the impression that you "had" to compile it from the source package?

Re:Sure glad I don't have to do this crap (1)

a_greer2005 (863926) | more than 9 years ago | (#12823411)

Kim Kommando is not a person that I would trust or even listen to because she recommends the worst products, misses the obvious, free fixes for common problems in favor of the pricey ones. And she calls herself the "digital goddess"?? She is a bratty know it all.

Want good tech radio? listen to Leo Lapporte on KFI on the weekends

Re:Sure glad I don't have to do this crap (0)

Anonymous Coward | more than 9 years ago | (#12823429)

You don't do updates then? Not even when the super-responsive OSS community bangs out streams of emergency fixes for bugs? Not even when a tiny fraction of those quick, small fixes close security holes?

Colleagues of mine used to run Linux like that. Their machines got rooted three times before they changed their minds.

Re:Sure glad I don't have to do this crap (1)

X_Bones (93097) | more than 9 years ago | (#12823494)

Maybe as an engineer who uses computers to actually accomplish something I just have a different point of view.

Or maybe you're just a pretentious holier-than-thou asshole who doesn't realize that some of us use Windows because that's what our products are delivered on, or we need a piece of legacy software to do our work, or our kids have Windows-only games, or we've never heard of Linux so we don't know there's alternatives to Microsoft, or our bank requires IE, or any of the other thousand and one reasons some people use it.

There's no need to assume we're all idiots, you know.

PS. phishing and spoofing are platform-agnostic. Without the right knowledge, your grandma would get owned by PayPal scammers no matter if she ran Windows or Warty (or anything else, for that matter).

The NSA (4, Funny)

Anonymous Coward | more than 9 years ago | (#12823240)

Never needed MSFT to put in a "backdoor" for them, specifically. Christ, they just needed the source-code so they could use all the ones there were already there.

Patch Patch (1)

sheepoo (814409) | more than 9 years ago | (#12823259)

Any news on the latest Firefox vulnerabilities? Have they been patched?

Patch train!? (0, Offtopic)

LegendOfLink (574790) | more than 9 years ago | (#12823271)

Is that anything like Soul Train?

Wow. You'd think they'd get all these (0, Offtopic)

revscat (35618) | more than 9 years ago | (#12823277)

You know, at some point you just kinda figure that they'd get all these critical holes in their flagship software. I mean, call me crazy, but if you have $60+billion in cash in the bank and an army of tens of thousands, you'd THINK you could get the major problems taken care of.

You'd think.

It's crap like this that makes me wonder at the possibility of Apple eating Microsoft's lunch on the OS front.

Y:ou f4il it? (-1, Offtopic)

Anonymous Coward | more than 9 years ago | (#12823315)

used to. SHIT ON [goat.cx]

Venture to guess? (3, Insightful)

AyeRoxor! (471669) | more than 9 years ago | (#12823334)

exists due to the way the browser handles PNG (Portable Network Graphics) files."

Hmm... Buffer overflow maybe?

Buffer overflow is an amateur mistake. Check your god damn code.

/frustrated by lazy programmers

Re:Venture to guess? (5, Funny)

Joe Decker (3806) | more than 9 years ago | (#12823490)

Check your god damn code

Using an interjection when you mean an adjectival phrase is an amateur mistake. Check your God-damned grammar.

Re:Venture to guess? (1)

a_greer2005 (863926) | more than 9 years ago | (#12823491)

I remember my C++ classes in High School, if our code had a buffer overrun, it was a letter grade (or more) off for sloppiness and error potential, we would also be told that it was unprofessional. Needless to say I made the buffer overflow mistake ONCE, not again.

mod the parent as high as possible because he is dead on!

PNG? (0)

Anonymous Coward | more than 9 years ago | (#12823368)

While they're messing with PNGs, they might as well fix their horrible support for the thing. Ever tried using transparency in IE? Boy doesn't that look nice. Cocksuckers.

Patches don't solve the problem on new installs (2, Interesting)

Whafro (193881) | more than 9 years ago | (#12823373)

It's happened to me twice now...

I'll install a vanilla copy of XP Pro onto a system, and within minutes of hooking the machine up to the network, it has become infected with a virus, basically requiring a reinstallation immediately.

My normal mode of installation is:

- Install XP
- Two IE windows open:
- One downloads Firefox
- The other goes to Windows Update and starts downloading patches.
- Download everything else using firefox, including drivers, etc.

But apparently Windows Update isn't a fast enough method to get the machine patched, and the machine is compromised before the appropriate patches are finished being applied.

I've made a "XP Install Disc 2" for myself, which has the full SP2 installer file, Firefox, Avast, Spybot, and Adaware on it, that I then install while the box is still offline. It seems that SP2 does well enough at plugging exploits that the system then has enough time to download the other patches normally without becoming compromised.

Does anyone have a better solution?

Re:Patches don't solve the problem on new installs (1)

Eric_Cartman_South_P (594330) | more than 9 years ago | (#12823431)

Try getting a hold of $40 and buy yourself a Linksys firewall. That would give you a TON of time to upgrade a naked box. (hehe, I just said naked box).

Re:Patches don't solve the problem on new installs (0)

Anonymous Coward | more than 9 years ago | (#12823458)

Yeah - slipstream SP2 and such onto the XP Pro installer and be patched from the beginning.

That and never hook a god damned Windows machine directly to the internet -- even a simple home router (Linksys etc.) will keep the active attacks away.

Re:Patches don't solve the problem on new installs (1)

almostmanda (774265) | more than 9 years ago | (#12823460)

You could slipstream SP2 onto your install CD (search Google for directions), so you don't have to race against time trying to get it installed before your machine is pwned. It'll just install with XP. Upon installing, if you're really paranoid, you could put a second firewall on your machine, like Kerio or Zone Alarm. After that, get updates and install antivirus and antispyware.

Re:Patches don't solve the problem on new installs (0)

Anonymous Coward | more than 9 years ago | (#12823461)

Enable the software firewall in XP ASAP.

If that doesn't work either, use a hardware firewall like those in home routers.

Re:Patches don't solve the problem on new installs (0)

Anonymous Coward | more than 9 years ago | (#12823464)

It's rather simple, really.

Use. A. Firewall.

Turn on the one in Windows XP if you have to -- or get a router.

Re:Patches don't solve the problem on new installs (1)

pstreck (558593) | more than 9 years ago | (#12823466)

Use a better firewall. I run Devil Linux on a dedicated machine and use it as a router/firewall and never have a problem. On the other hand, as soon as my younger brother takes his computer back to the dorm it gets infected... It's all what's on your network. Cable users seem to be worse off due to the LAN you are on with your infected neighbors.

Re:Patches don't solve the problem on new installs (0, Flamebait)

DrSkwid (118965) | more than 9 years ago | (#12823470)

> Does anyone have a better solution?

spend $30 on a NAT router, D U M B A S S

Re:Patches don't solve the problem on new installs (0)

Anonymous Coward | more than 9 years ago | (#12823478)

Get a tiny el-cheapo home router w/ a built-in firewall and NAT. Hook up through this before doing your install. Should stop the quickie hijackers that plague just having your machine plugged in.

Security Update for Windows XP (KB666) (2, Funny)

circletimessquare (444983) | more than 9 years ago | (#12823377)

A humor security issue has been identified that could allow a Slashbot to remotely compromise your sense of humor about Windows patches and bore you to death. You can help protect your sense of humor by installing this update from Microsoft. After you install this item, slashdot.org will resolve to 127.0.0.1.

How to Uninstall

Read all comments rated as funny under a story about Windows Update on slashdot.org and your sense of humor will be successfully uninstalled.

Help and support

http://omgmstehsux0rs.slashdot.org/

/.: 0wned by M$ (0)

Anonymous Coward | more than 9 years ago | (#12823395)

Stop running M$ ads! U look like ur 0wned by M$.

this is one (1)

suezz (804747) | more than 9 years ago | (#12823421)

train I don't ride anymore - thank goodness.
goodbye billy and steve - have fun with your os. glad you are thinking about security.

Few Points (1)

ilyanep (823855) | more than 9 years ago | (#12823455)

1. Why is it news when MS releases a patch? It happens every week.

2. First a JPG problem, then a PNG problem, so what's next? A GIF and a BMP problem? Or are we moving on to video formats next?

the problem isn't what it appears to be (3, Insightful)

cahiha (873942) | more than 9 years ago | (#12823481)

If you look at Macintosh, BSD, and Linux distributions, they also have regular security updates, with many similar vulnerabilities.

There are really two problems here, one true of all major OSes right now, and the other one true of proprietary systems.

The first problem is the pervasive use of C and C++, which makes systems unnecessarily prone to buffer overflows and related problems. C and C++ programmers keep saying that they can handle it, but it is obvious that they can't.

The second problem is that Microsoft and Apple only update their own applications; users are saddled with downloading updates for other software by hand. If all these bugs exist in IE, you can bet similar bugs exist in Photoshop, Office, and many other apps that aren't automatically updated.

All aboard! (5, Funny)

AtariAmarok (451306) | more than 9 years ago | (#12823482)

"MS Patch Train Leaves the Station"

Otherwise known as the Bugwarts Express. To find the boarding platform, run your luggage cart full tilt into that blue screen.
